When using the JSON::JWK::Set::Fetcher, if a JWKS endpoint returns nothing but a string in double quotes, the contents of those double quotes will be interpreted as a symmetric JWK. As a minimal reproduction:

1. In one terminal, run:

# Basic web server on port 8080 that returns "hello" (in double quotes), and nothing else
$ ruby -e 'require "socket";s=TCPServer.new 8080;loop{c=s.accept;c.gets;c.print "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 7\r\n\r\n\"hello\"";c.close}'

2. in another terminal, in a pry shell, run:

JSON::JWK::Set::Fetcher.fetch("http://localhost:8080/", kid: nil, auto_detect: false)
# => [{"k" => "hello", "kty" => :oct, "kid" => "c9QtoFTsKPgH6ou94elR1Qgu_yCWUeWEG0dAG-TZWV8"}]

This is pretty unexpected behaviour, but it's also a little worrying in that the RFC enforces that JWKSes have a certain format, but also in that advanced attackers could potentially force a key verification to use a symmetric key that they control.

So, with all that said, this PR makes the JWK::Set::Fetcher do a sense check or two on the structure of the JWKSes it fetches -- basically just ensuring that they're hashes, that they have a keys key, and that the value of keys is an array.